Each year hundreds of billions of dollars are lost by companies due to cybercrimes committed by criminals. These attacks vary from sophisticated hacking to primitive fraud attempts.
However, with the right preparation and countermeasures in place, companies can prevent certain types of cyberattacks, or at least mitigate the associated losses.
With increasing frequency, perpetrators are hacking employee email accounts (typically those belonging to the person responsible for payments in the company’s name) by sending a message from a specially-created email address differing only by one or two characters from the email address of an actual company business partner. The email contains a request that payments due to the business partner be wired to a new Hungarian (or other) bank account provided in the email sent from the fake email address. Unless the targeted employee notices the deception, he or she may well wire the funds to that new bank account. After payment, another perpetrator will carry out different money laundering operations, like transferring the fraudulently-acquired money to another bank account, often outside of the EU. Finally, with the help of “stooges,” the perpetrators can withdraw the wired money from the account in cash.
Another type of cybercrime is committed by hackers who break into a company’s IT system and extract a part of or an entire database. As a next step, they send an email or other message to a company executive or other responsible person demanding the transfer of funds (or more recently, bitcoins), threatening to disclose the illegally-obtained data to the public on the Internet if they do not receive payment. In some instances, hackers have carried through with their threats when funds were not credited in line with their demands, causing huge reputational and other losses to companies.
Potential Prevention or Defence Options
Preventing the first type of attack is much easier than recovering lost assets. Companies must bring these types of crimes to the attention of the personnel responsible for accounting, finance, and IT systems by organizing internal trainings and requiring that payment of funds be made only by the book (e.g., for all changes in bank accounts, a phone confirmation or other confirmation method should apply) and creating effective internal validation processes. Should such an attack take place, time is of the essence. In our experience, if a company acts quickly in filing a police report and asking for the relevant bank accounts to be frozen, there is a chance that at least some amounts can be recovered.
The second type is more difficult to prevent. Many companies spend excessive amounts of money on IT – especially IT security – but the sufficiency of such systems can only be truly measured when an attack occurs, as even less-developed IT systems are likely to detect an attempt. After a successful attack, it is very difficult to move forward quickly. Therefore, all companies should have a strategy in place to make sure that losses, if they occur, are minimized to the extent possible.
It appears that transferring money to Hungarian bank accounts is extremely popular among the perpetrators of such cybercrimes, which brings up the question of how regulations concerning the opening of bank accounts and wire transfer operations can be tightened or weak points of the system detected.
Cybercrimes have also caught the attention of the authorities. On April 15, 2013 Hungary established the National Cyber Security Center to fight such crimes, and at a European level the Directive on Security of Network and Information Systems was adopted in 2016 to strengthen cooperation between authorities. In addition, the rules of the General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, also contain mandatory measures for companies. The GDPR will require companies to implement appropriate security measures to protect personal data processing operations, to carry out data protection impact assessments in connection with high-risk personal data processing (e.g., if the company is likely to be a target of cyber criminals) and, once an incident (cybercrime) occurs, to notify the local data protection officer within 72 hours.
Akos Nagy, Partner, and Aron Barta, Associate, Kinstellar
This Article was originally published in Issue 4.9 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.